
Cross-Site-Request-Forgery #4824

Closed
lvca opened this issue Aug 19, 2015 · 2 comments

@lvca
Member

lvca commented Aug 19, 2015

The OrientDB server allows the use of a parameter for the name of a callback function in HTTP requests. If such a parameter is used in an HTTP request, the server sends the HTTP response to the function specified in the parameter. This can be used to construct a malicious web page which sends a GET request to the OrientDB server in order to get some content. An attacker can read the HTTP response because of the allowed callback-function parameter.
The OrientDB server provides an interface to request specific entries of a database with the HTTP method GET.

For example, the URL http://localhost:2480/document/test/5:1 responds with JSON data of the record 5:1. In the case of record 5:1 it is the information about the reader account with the hashed password.

```json
{"@type":"d","@rid":"#5:1","@version":1,"@class":"OUser","name":"reader","password":"{SHA-256}3D0941964AA3EBDCB00CCEF58B1BB399F9F898465E9886D5AEC7F31090A0FB30","status":"ACTIVE","roles":["#4:1"],"@fieldTypes":"roles=n"}
```
@lvca lvca self-assigned this Aug 19, 2015
@lvca lvca added this to the 2.2 milestone Aug 19, 2015
@lvca
Member Author

lvca commented Aug 20, 2015

Fixed by disabling JSONP support by default. To enable it, set -Dnetwork.http.jsonp=true

@lvca lvca closed this as completed Aug 20, 2015
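Added example, not OrientDB's code: a small Python model of a JSONP-capable read endpoint that shows the leak described in the issue and the two sides of the fix in the follow-up comment (JSONP off unless explicitly enabled, plus a strict callback-name check for deployments that do turn it on), together with a sweep over access-log lines that flags requests carrying a callback parameter. The parameter name `callback`, the endpoint model and the log lines are assumptions and constructed data; the issue does not name the parameter.

```python
"""Added example (not OrientDB code): model of a JSONP-capable read endpoint,
why a callback parameter makes the response readable from another origin, and
the mitigations: JSONP disabled by default, strict callback-name validation
when it is deliberately enabled, and a log sweep to spot callback requests."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample record, modelled on the issue's /document/test/5:1 reply
# (password hash omitted on purpose).
SAMPLE_RECORD = {"@type": "d", "@rid": "#5:1", "@class": "OUser",
                 "name": "reader", "status": "ACTIVE"}

# A JSONP callback must be a plain (optionally dotted) JS identifier; anything
# else would let the callback parameter inject script into the response body.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


def render(record, callback=None, jsonp_enabled=False):
    """Return (content_type, body). Mirrors the fix: the callback parameter is
    ignored unless JSONP was explicitly enabled (-Dnetwork.http.jsonp=true)."""
    body = json.dumps(record, separators=(",", ":"))
    if not jsonp_enabled or callback is None:
        # Plain JSON: a cross-origin <script src=...> tag cannot read this body.
        return "application/json", body
    if not CALLBACK_RE.match(callback):
        raise ValueError("invalid JSONP callback name")
    # JSONP: the body is executable script, so any page that embeds this URL
    # as a <script> receives the record through the named function.
    return "application/javascript", f"{callback}({body});"


def callback_param(url):
    """Extract the assumed 'callback' query parameter, or None."""
    return parse_qs(urlsplit(url).query).get("callback", [None])[0]


def jsonp_read_possible(url, jsonp_enabled):
    """True when a third-party page could read this URL's response via JSONP."""
    cb = callback_param(url)
    return jsonp_enabled and cb is not None and bool(CALLBACK_RE.match(cb))


# Constructed access-log lines (not real OrientDB logs) for a detection sweep.
SAMPLE_LOG = """\
GET /document/test/5:1 HTTP/1.1 200
GET /document/test/5:1?callback=leak HTTP/1.1 200
GET /query/test/sql/select%20from%20OUser?callback=window.grab HTTP/1.1 200
GET /document/test/9:0?callback=alert(1) HTTP/1.1 200
"""


def find_jsonp_requests(log_text):
    """Return (path, callback) for each logged request with a callback parameter;
    on a server where JSONP is enabled these are the reads worth reviewing."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        cb = callback_param(parts[1])
        if cb is not None:
            hits.append((urlsplit(parts[1]).path, cb))
    return hits


if __name__ == "__main__":
    print(render(SAMPLE_RECORD, callback="leak"))
    print(render(SAMPLE_RECORD, callback="leak", jsonp_enabled=True))
    for path, cb in find_jsonp_requests(SAMPLE_LOG):
        print(f"callback request: {path} -> {cb}")
```

The design point behind the default-off setting is visible in `render`: with JSONP disabled, the callback parameter changes nothing and the body stays plain JSON, which a cross-origin script tag cannot read; once enabled, the same URL returns script, so the only remaining protections are limiting what the HTTP user can reach and rejecting callback names that are not bare identifiers.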
@Wirone

Wirone commented Nov 30, 2015

How does it fix the real issue? If I need JSONP and enable it, I expose data to CSRF attacks?
